Re: Signature Verification Patent Search

Dear Paul: 

We would like a novelty search directed to the following invention: 

a) measuring a product characteristic; 

b) encoding the product characteristic and signing the code; 

c) writing the signed code on the product. 

The invention also includes a product having thereon a signed code which is indicative of a characteristic of the product. We refer to this signing method as "signature verification" and signature verification for other purposes is a well known technique used in particular in association with cryptography.

Enclosed for your benefit are articles from an October, 1998 issue of Scientific American which explain cryptography and signature verification in general. Our signature verification invention is to be hopefully incorporated into our DigiCal oximeter sensors. Essentially what we will do is measure one or more sensor characteristics, such as LED wavelength, and identify other sensor characteristics such as the type of sensor, be it disposable or reusable, its size (i.e., adult, pediatric), and possibly other features of the sensor, and encode these characteristics in a digital message, then sign the message, and record the signed message on a memory chip on the sensor. Since our message will be short, we envision the message as being in an envelope within the signature (as opposed to using a separate signature derived from a hash function as taught in the Scientific American articles). When the sensor is plugged into a monitor, the monitor will read the signed message and check the signature for authenticity. If the signature is accurate and authentic, the message is verified and the oximeter sensor will display physiological data. If the signature is not confirmed to be authentic, the monitor will, in all probability, not display data, much the same as occurs today if a sensor without an appropriate RCAL resistor is plugged into our monitor. Data will be signed and written on a sensor using a private key, and the monitor will read and verify the data using an asymmetric public key.
Signature verification has several advantages. First, if errors are introduced during the writing or reading processes, the signature will not be read as authentic and hence the monitor will not display physiological data which in all probability would be inaccurate. Hence, it detects errors. Second, signature verification will prevent third parties from manufacturing uncalibrated sensors and plugging them into our monitors so as to produce inaccurate physiological data since third parties, in all probability, will not be able to sign their data without access to our private key, which will be kept secret. Third, signature verification will provide some level of security of our trade secrets, such as our calibration coefficients, since our public key in our monitor will also be maintained secret, though admittedly a motivated third party would probably be able to reverse engineer our public key by disassembling and decompiling our monitor software. However, our private key cannot be derived from knowledge of the public key.

I know of no prior art which teaches recording and signing data regarding an object's 
characteristic on that object for later verification by an instrument usable with the object. That is 
the primary concept we wish searched. In addition, if such has been done in the prior art, we 
would like to know if anyone has taught doing so using asymmetric keys as opposed to 
symmetric keys. 

If the concept turns out to be novel and patentable, we would desire a method of manufacture claim, and product claims, with product claims including sensor claims, monitor claims, and sensor-monitor combination claims.

Please telephone me after you have reviewed the above to discuss any questions you may have and projected time lines to complete the search, analyze the search results, and hopefully begin the application preparation process.



Dennis E. Kovach

Staff Vice President, Legal 

Intellectual Property 
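The letter's scheme, worked as an added example that is not the company's code and not taken from the enclosed articles: a fixed-layout record of the sensor characteristics is signed so that the monitor recovers the record from the signature itself, with the articles' detached hash-then-sign form alongside for contrast. The key generation, record layout, code tables and redundancy check are assumptions made for this example.

```python
"""Sign a sensor's calibration record so the monitor can verify it.

Added illustration of the letter's scheme, not the company's code: the
record rides inside the signature ("message recovery") and is checked via
an embedded redundancy value; the articles' detached hash-then-sign form
is shown alongside. Textbook RSA on seeded toy keys; a product would use a
standardized scheme (ISO/IEC 9796-2, RSA-PSS) with far larger keys.
"""
import hashlib
import hmac
import random

SENSOR_TYPE = {"disposable": 1, "reusable": 2}   # constructed code tables
SENSOR_SIZE = {"adult": 1, "pediatric": 2}
RECORD_LEN = 6   # type(1) size(1) led_nm(2) cal(2), big-endian
CHECK_LEN = 8    # truncated SHA-256 of the record: the redundancy


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_keypair(bits=320, seed=2024):
    """Return ((n, e), (n, d)); seeded so the example is reproducible."""
    rng, e = random.Random(seed), 65537

    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
            if _is_probable_prime(c, rng):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encode_record(sensor_type, size, led_nm, cal):
    """Pack the characteristics the letter lists into a fixed layout."""
    return (bytes([SENSOR_TYPE[sensor_type], SENSOR_SIZE[size]])
            + led_nm.to_bytes(2, "big") + cal.to_bytes(2, "big"))


def decode_record(raw):
    by_type = {v: k for k, v in SENSOR_TYPE.items()}
    by_size = {v: k for k, v in SENSOR_SIZE.items()}
    if raw[0] not in by_type or raw[1] not in by_size:
        return None                      # unknown type or size code
    return {"type": by_type[raw[0]], "size": by_size[raw[1]],
            "led_nm": int.from_bytes(raw[2:4], "big"),
            "cal": int.from_bytes(raw[4:6], "big")}


def sign_with_recovery(record, priv):
    """Factory side: the signature is the envelope carrying the record."""
    n, d = priv
    check = hashlib.sha256(record).digest()[:CHECK_LEN]
    m = int.from_bytes(record + check, "big")
    assert m < n, "record plus redundancy must fit under the modulus"
    return pow(m, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify_and_recover(sig, pub):
    """Monitor side: the record, or None if the check fails (a bit flipped
    on the chip, or data not produced with the private key)."""
    n, e = pub
    m = pow(int.from_bytes(sig, "big"), e, n)
    if m.bit_length() > 8 * (RECORD_LEN + CHECK_LEN):
        return None
    blob = m.to_bytes(RECORD_LEN + CHECK_LEN, "big")
    record, check = blob[:RECORD_LEN], blob[RECORD_LEN:]
    if not hmac.compare_digest(check, hashlib.sha256(record).digest()[:CHECK_LEN]):
        return None
    return decode_record(record)


def sign_detached(record, priv):
    """Hash-then-sign, as in the articles: record and signature travel apart."""
    n, d = priv
    h = int.from_bytes(hashlib.sha256(record).digest(), "big")
    return pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify_detached(record, sig, pub):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(record).digest(), "big")
    return pow(int.from_bytes(sig, "big"), e, n) == h
```

With message recovery the monitor needs nothing but the signature from the chip; with the detached form it needs the record and the signature, and the record is visible in the clear.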
Digital Certificates

by Warwick Ford, VeriSign 



Digital certificates play an essential role in public-key cryptography, a method widely used on the Internet to keep communications secure. To send and receive messages with this method, a computer user must have a pair of cryptographic keys— a private key and a public key— which are long strings of data, usually containing 500 to 1,000 bits. The user keeps the private key in a safe place — encrypted on a computer's hard drive, for example — but makes the public key known to the people with whom he or she wants to communicate.

Let's say that Alice wants to send a message to Bob. Because she wants Bob to be sure that the message is really coming from her, Alice uses her private key to create a digital signature, which accompanies the message. Bob uses Alice's public key to verify the signature. But how can Bob be sure that the public key actually belongs to Alice? An impostor could create her own key pair and send the public key to Bob, claiming that it belongs to Alice. To prevent such a possibility, Alice must obtain a digital certificate, a data item issued by a widely trusted certification authority, such as VeriSign or GTE CyberTrust or an authority set up by Alice's company. The digital certificate can be thought of as the cyberspace equivalent of a driver's license. It confirms that a particular public key belongs to a particular person or entity.



Alice uses cryptographic software to generate a private key (a) and a public key (b). She sends the public key to a certification authority and asks for a digital certificate. The authority needs to authenticate Alice's identity; depending on the type of certificate, this may involve verifying private information that Alice supplies. If her credentials check out, the authority issues a digital certificate (c) affirming that the public key belongs to Alice. Attached to the certificate is the authority's digital signature, which can be verified by anyone who knows the authority's public key.




The certification authority's public key (d) is distributed to anyone who needs it, including Bob. The key is typically embedded in Web browsers and other application software used for secure computer communications.
Alice digitally signs her message to Bob. First, she applies a mathematical formula called a hash function to the message. This formula creates a message digest, which Alice encrypts with her private key to make the digital signature (e). She sends the signature to Bob along with the message (f). She also attaches her digital certificate, which includes her public key.




Bob uses the certification authority's public key to verify the authority's digital signature on the certificate. Bob can now be sure that the certificate is authentic—and that the public key in the certificate belongs to Alice. Bob then uses this key to decrypt Alice's digital signature, which re-creates the message digest. Finally, Bob applies the hash function to Alice's message. If the message digest produced this way is equal to the message digest decrypted from Alice's digital signature, Bob can be certain that the message is indeed from Alice and that it has not been tampered with by anyone else on the network.
How Computer Security Works



Cryptography 
for the Internet 

E-mail and other information sent electronically are like digital 
postcards— they afford little privacy. Well-designed cryptography 
systems can ensure the secrecy of such transmissions 

by Philip R. Zimmermann 



Sending letters through the post office might take days, but at least the correspondence is guaranteed some degree of privacy. E-mail delivered over the Internet, on the other hand, can be blindingly fast but is highly susceptible to electronic eavesdroppers. One way to increase the privacy of such transmissions is to encrypt them, scrambling the information in complex ways to render it unintelligible to anyone but the intended recipient.

Since the 1980s the development of sophisticated algorithms and fast but affordable computer hardware have made powerful, military-grade cryptographic systems available to millions of people with ordinary personal computers. Recent technological improvements promise to make such systems increasingly resistant to even the most advanced cipher-cracking techniques.

Out from the Shadows

Four decades ago the Pentagon's requirements for tiny custom circuits to fit into missiles and spacecraft were the driving force behind the U.S. electronics industry. Today civilian demands dominate, and the military currently satisfies most of its needs with off-the-shelf products designed for the much larger consumer market. The same thing is happening with cryptography.

Until the mid-1970s the National Security Agency (NSA) had a virtual monopoly on U.S. encryption technology, a field that was kept shrouded in secrecy. Then, in 1976, the seminal article "New Directions in Cryptography," in which Whitfield Diffie and Martin E. Hellman of Stanford University first described "public-key cryptography" in the open literature, forever changed the landscape. In the years since that publication, an energetic cryptographic community in academia and industry has emerged, publishing an ever increasing number of papers and building a mature discipline. The growing popularity of the Internet — and people's concerns about the privacy of that medium — has only intensified the trend. Today some of the best ciphers and systems are being developed by cryptographers at universities and in the private sector all over the world. In fact, the NSA is now beginning to buy commercial products for a portion of its cryptographic needs.

Why was Diffie and Hellman's introduction of public-key cryptography so crucial? In conventional cryptosystems, a single key is used for both encryption and decryption. Such systems, called symmetric, require the key to be transmitted over a secure channel— a process that is often inconvenient. After all, if a secure channel exists, why is encryption needed in the first place? This limitation hobbled cryptography.

Diffie and Hellman removed that constraint. Public-key cryptography allows the participants to communicate without requiring a secret means of delivering the keys. Such asymmetric systems rely on a pair of keys that are different but complementary. Each key unlocks the message that the other key encrypts, but the process is not reversible: the key used to encrypt a message cannot be used to decrypt it. Thus, one of the complementary keys (public) can be disseminated widely, whereas the other key (private) is held only by its owner. When Bob wants to send a message to Alice, he can use her public key to encrypt the information, which she will then use her private key to decrypt.

Public-key cryptosystems are based on mathematical problems that are easy to compute in one direction but painfully slow to solve in the reverse. The two main public-key algorithms are the Diffie-Hellman (and its variants, such as the Digital Signature Standard from the National Institute of Standards and Technology, ElGamal and elliptic curve approaches) and RSA, developed at the Massachusetts Institute of Technology by computer scientists Ronald L. Rivest, Adi Shamir and Leonard M. Adleman.

ENCRYPTING A PRIVATE MESSAGE that Bob will send to Alice over the Internet requires several steps. In this conceptual schematic, Bob first computes a hash of the text [see diagram on page 173]. He then encrypts the hash using his private key [see box on next page]. The resulting information (blue, below) serves as Bob's "signature." Bob compresses the signature and his message electronically (purple) and enciphers the file (green) using a particular session key. Bob encrypts this key using Alice's public key, and the result (orange) is added to the message. Finally, the file is converted into alphanumeric characters (red) for transmission over the Internet. At the receiving end, the steps are essentially reversed, with Alice using her private key to decrypt the session key, which she can then use to decipher the rest of the message.



The former approach uses discrete logarithms. It is simple to compute g^x modulo p: just raise g to the x power, divide that quantity by a large prime number and then take the remainder of that operation. But given g, p and the value of g^x modulo p, it is infeasible to recover x [see "The Mathematics of Public-Key Cryptography," by Martin E. Hellman; SCIENTIFIC AMERICAN, August 1979].
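The exchange the sidebar on the next page describes, worked as an added example that is not from the article: both parties' computations with the modulo step, the reason the modulo is needed (without it, x is read straight off g^x), and the substitution from the later "Beware of Middlemen" section, which shows why the exchanged values must be authenticated. p, g and the secret exponents are constructed toy values.

```python
"""Diffie-Hellman as in the sidebar, with and without the modulo step.

Added example, not from the article. p = 2**127 - 1 (a Mersenne prime)
and g = 3 are constructed toy parameters; deployments use standardized
groups with 2048-bit or larger moduli.
"""

P = 2**127 - 1   # publicly known prime modulus
G = 3            # publicly known base


def exchange(x, y, p=P, g=G):
    """Alice holds x, Bob holds y. Returns (what Alice computes, what Bob
    computes); the two agree because (g**y)**x == (g**x)**y modulo p."""
    gx = pow(g, x, p)    # Alice -> Bob, sent in the clear
    gy = pow(g, y, p)    # Bob -> Alice, sent in the clear
    return pow(gy, x, p), pow(gx, y, p)


def exponent_from_plain_power(g, gx):
    """Without 'modulo p' an eavesdropper reads x straight off g**x by
    repeated division; that is the weakness the modulo step removes.
    Returns None when gx is not an exact power of g."""
    x = 0
    while gx > 1 and gx % g == 0:
        gx //= g
        x += 1
    return x if gx == 1 else None


def substituted_exchange(x, y, z, p=P, g=G):
    """The 'Beware of Middlemen' scenario: an intercepting party with secret
    z hands each side g**z in place of the other's value. Returns the keys
    Alice, Bob and the interceptor end up holding. Alice and Bob no longer
    share one key; each shares one with the interceptor instead, which is
    why g**x and g**y must be authenticated (certified or signed) before
    use, as the later section argues."""
    gx, gy, gz = pow(g, x, p), pow(g, y, p), pow(g, z, p)
    alice_key = pow(gz, x, p)        # Alice believes gz came from Bob
    bob_key = pow(gz, y, p)          # Bob believes gz came from Alice
    return alice_key, bob_key, (pow(gx, z, p), pow(gy, z, p))
```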

The RSA system is based on the difficulty of factoring. It is straightforward to multiply two large prime numbers together, but it is extremely difficult to factor that huge composite back into its two primes [see "Mathematical Games," by Martin Gardner; SCIENTIFIC AMERICAN, August 1977]. Another beauty of public-key cryptography is that it can be used for message authentication: a recipient can verify the identity of the sender. When Bob transmits a message to Alice, he first encrypts it with his private key, then reencrypts the encrypted message with Alice's public key. Alice, after receiving the transmission, reverses the steps. She first decrypts the message with her own private key, then decrypts it again with Bob's public key. If the final text is legible, Alice can be confident that Bob actually wrote the message.

Of course, all this encrypting and decrypting requires myriad mathematical calculations. But software applications, such as PGP, running on PCs can automate the process. Using one of those packages, Bob and Alice need only press the "encrypt" and "decrypt" buttons on their computers, and the number crunching is performed behind the scenes.

For all its innovation, public-key cryptography has two severe limitations. First, because of its relatively slow speed, the technology is impractical for encrypting large messages. Second, and perhaps more important, public-key cryptography sometimes allows patterns in a message to survive the encryption process. The patterns are thus detectable in the enciphered text, making the technology vulnerable to cryptanalysis. (Cryptography is the science of making ciphers, cryptanalysis is the study of breaking them, and cryptology is both disciplines.)

Symmetric Workhorses

Consequently, the bulk of encryption is usually performed by faster and more secure symmetric ciphers, with public-key cryptography limited to the small— but essential—function of exchanging the symmetric keys. Specifically, Bob encrypts his message with a quick and strong symmetric cipher. He then needs to send Alice the symmetric key that he used, so he enciphers it with her public key and attaches the result to his encrypted message. [Alice can] decrypt the symmetric key with her private key so she can use that information to decrypt the rest of Bob's message.

Public-Key Cryptography

[...] cryptography was hampered by the so-called key-exchange problem. Specifically, if Bob wanted to send [Alice an enciphered message, she needed to know] the encryption [key he] had used. Public-key cryptosystems overcame this limitation by relying on clever mathematics. In the Diffie-Hellman algorithm, which helped to spawn the field of public-key cryptography, Alice uses her secret number x to calculate g^x and sends that quantity to Bob. On his end, Bob uses his secret number y to compute g^y and sends that to Alice. (Note that the number g is publicly known.) After Alice receives this [value, she] can then compute (g^y)^x, which is equal to the (g^x)^y that Bob similarly calculates. This quantity can become their shared, secret encryption key. But someone who has intercepted Alice's g^x and Bob's g^y would be able to derive the secret x and y. So to thwart any eavesdroppers, Alice and Bob insert the modulo function, which calls for the remainder of a division operation. (For example, 14 modulo 4 is 2 because the remainder of 14 divided by 4 is 2.) This added twist ensures secrecy— instead of sending g^x to Bob, Alice transmits the value of g^x modulo p, from which eavesdroppers would have great difficulty in recovering x even if they know g and p. With additional mathematics, the [...] evolved into cryptosystems that generate two complementary keys [...].

[For] authentication, Bob again does not use public-key cryptography to "sign" his transmission directly. Instead he computes a hash, or fingerprint, of his message. Such mathematical procedures can be used to condense an input of [any] length [into a digest of fixed] length, typically 160 bits long. (A bit is the most basic unit of computer data. It stores one of two possible states, represented by 0 or 1.) Cryptographically strong hash functions, such as SHA-1, RIPEMD-160 and MD5, are designed so that a forger would find it computationally infeasible to devise a different message that would yield the same hash. In other words, the fingerprints generated are virtually unique: two different messages will almost certainly yield distinct digests.

After computing a hash of his message, Bob encrypts that information with his private key. He sends this "signature" with the rest of his encrypted transmission. Alice receives the hash and decrypts it with Bob's public key, then compares the result with the hash she computes herself after decrypting the message. A match proves [...].

[...] On the Internet, the most common method [...] only fixed-size blocks, each usually 64 or 128 bits long, so that the encryption can be performed a chunk at a time. So-called block ciphers usually encrypt each chunk using multiple rounds (the exact number is dictated by the particular algorithm) of mathematical operations, with the output of one iteration fed as input to the next. Each round often involves both permutation (shuffling "xtv" to "tvx") and substitution (changing "tvx" to "cb2"). A section of the key helps to transform the data during the iterations.

Feeding identical chunks of text to a block cipher will lead to encrypted blocks that are identical to each other. To suppress any such block-aligned patterns from forming (which would make the cipher easier to crack), block algorithms typically use some kind of chaining. Blocks that have already been encrypted are looped back to help encrypt subsequent chunks. In effect, the encryption of a block of text depends on all the previous blocks.
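An added illustration (not the article's code) of the round structure and chaining just described: a small Feistel cipher whose rounds each mix one half of the block using a section of the key, run block by block and with chaining, so the identical-block pattern the text warns about can be counted. The round function, block size and subkey derivation are assumptions made for this example.

```python
"""Round-based block cipher with and without chaining.

Added example, not the article's code: a 16-byte Feistel cipher whose
round function is HMAC-SHA-256 keyed with a per-round subkey (the
"section of the key" that transforms the data), run block by block (ECB)
and with CBC chaining. Toy construction; use a vetted cipher in practice.
"""
import hashlib
import hmac

BLOCK = 16    # block size in bytes
HALF = BLOCK // 2
ROUNDS = 4


def _round_keys(key):
    """One 32-byte subkey per round, derived from the cipher key."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(ROUNDS)]


def _f(subkey, half):
    """Round function: a keyed, non-invertible mix of one half-block."""
    return hmac.new(subkey, half, hashlib.sha256).digest()[:HALF]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key, block):
    """Feistel network: each round swaps the halves and mixes one with F(other)."""
    l, r = block[:HALF], block[HALF:]
    for sk in _round_keys(key):
        l, r = r, _xor(l, _f(sk, r))
    return r + l


def decrypt_block(key, block):
    """Running the rounds backwards undoes the permutation exactly."""
    r, l = block[:HALF], block[HALF:]
    for sk in reversed(_round_keys(key)):
        l, r = _xor(r, _f(sk, l)), l
    return l + r


def _chunks(data):
    assert len(data) % BLOCK == 0, "example expects whole blocks"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, data):
    """No chaining: identical plaintext blocks give identical ciphertext."""
    return b"".join(encrypt_block(key, c) for c in _chunks(data))


def cbc_encrypt(key, iv, data):
    """Chaining: each block is XORed with the previous ciphertext block
    before encryption, so every block depends on all that came before."""
    out, prev = [], iv
    for c in _chunks(data):
        prev = encrypt_block(key, _xor(c, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in _chunks(data):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one (the ECB leak)."""
    blocks = _chunks(ciphertext)
    return len(blocks) - len(set(blocks))
```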

Block ciphers have symmetric keys that are usually 56, 128 or 256 bits long. Well-known examples are the Data Encryption Standard (DES), triple-DES, CAST, IDEA and Skipjack. The workhorses of cryptography, block algorithms have become the focus of much recent research.



The Key Is the Key

The most sensitive operation in cryptography is the generation of keys. For a system to be as secure as possible, the keys should be numbers that are truly random, unpredictable by an attacker. Such numbers are different from the deterministic pseudorandom sequences that computers generate algorithmically for games and simulations. Truly random numbers can be derived only from the environmental "noise" of the physical world, such as the process of radioactive decay.

Such high-quality randomness is difficult to generate in a computer. One method is to measure the time, in microseconds, between each human-supplied keystroke, which is impossible to predict. Data gathered in this way are not quite random enough for generating keys directly, but the information can be passed through a hash function to distill the disorder.

Interestingly, the only cipher that cryptologists have ever proved to be perfectly secure is the one-time pad (OTP), in which the key is as long as the message itself. In an OTP, a random sequence is used to encipher a message bit for bit — that is, the 34th bit of the key is used to alter the 34th bit of the message. The key must be truly random. It cannot be a pseudorandom sequence produced by a deterministic algor­ithm; otherwise the cipher may be crackable. OTPs are rarely used because of their impracticality: the key must be as long as the message, and it must be sent to the receiver over a secure channel. Moreover, it can be used only once, or an attacker could break the messages.

Although many people think key size is the determining factor in cryptographic strength, an equally important criterion is the quality of the cipher's design. Consider a simple substitution cipher in which all As are changed to Ns, all Bs turned into Ks, all Cs transformed to Qs, and so on. The number of different ways to rearrange the alphabet is given by 26 factorial (that is, 26 x 25 x 24 x ... 3 x 2 x 1). That quantity is roughly equivalent to 2^88, a "key space" of different combinations that is regarded as fairly respectable, requiring enormous computing resources to break if every possible key must be tried. Yet when I was a kid I would crack this type of cryptogram all the time with no more than a pencil and paper. I simply looked for the most common letter and assumed it was probably E and then found the second most common letter and assigned T to it, and so on. Clearly, despite its vast key space, this type of cipher is very weak.

For a well-designed cryptography system, though, the key size does relate directly to the effort required to crack it. For block ciphers, the relation is usually exponential. Adding just one bit to the key length doubles the work the attacker must do to try all the keys. And doubling the key size squares the amount of effort. On average, a 128-bit key requires about 2^127 (in decimal, 1.7 x 10^38) operations to break.

Public-key algorithms are less sensitive. Typically, they have subexponential but superpolynomial key spaces, which means that doubling the length of the key increases the work substantially, but the amount is less than a squaring of the work effort. To use RSA as an example, modern factoring algorithms can do much better than simply trying all the possible smaller prime numbers to factor a large composite. Diffie-Hellman is also subexponential. For comparison's sake, a 3,000-bit RSA or Diffie-Hellman key requires about the same amount of work to crack as a 128-bit key for a block cipher.

[Figure: MESSAGE TO BE HASHED, reduced to a string of 0s and 1s labeled MESSAGE DIGEST, OR HASH. The sample message reads: "...I have just received word that, if all goes according to plan, the merger will be official on November 12th. Eric is now familiar with all of the necessary details, and he will be joining your team effective immediately. Chris will be working closely with the lawyers to ensure that we fulfill all of our requirements for due diligence. Obviously, because of strict SEC regulations, we must keep all information on the upcoming deal in the strictest of confidence. I trust that you have already..."]

HASH ALGORITHM condenses a message into a digest, a digital fingerprint that can be used to detect forgeries. The text of the message is first converted into binary form. (The letter A might be represented by 00000, the letter B by 00001, the letter C by 00010, and so on.) The resulting string of 0s and 1s is then separated into equal-size blocks. Next, the chunks are fed in sequence as key material into a cipher. The final output is the digest, or hash, of the original message. Note that a message of any length will always yield a digest of fixed size. The operation is called "one way" because it is virtually impossible to recover a message from its hash. Also, the algorithm is designed so that any given two messages will almost certainly yield distinct hashes, and it is computationally infeasible to find another message that produces the same hash as a given message. Thus, a digest can serve as a "fingerprint" for its corresponding message.

Still, block ciphers are hardly invincible. This year a special-purpose massively parallel machine built for less than $250,000 by the Electronic Frontier Foundation, headquartered in San Francisco, broke a DES message by exhausting its 56-bit key space in less than a week.

Brute force is not the only way to crack a cipher. Cryptanalysts can apply powerful mathematical and statistical tools to find any shortcuts, perhaps by uncovering patterns in the encrypted text. Attempts to break ciphers can be grouped
[Figure: the sample message ("...the upcoming deal in the strictest of confidence. I trust that you have already...") passes through BINARY CONVERSION OF MESSAGE, then a CHAINING ALGORITHM made of successive ENCRYPTION stages, producing the BINARY ENCRYPTION OF MESSAGE and finally the ENCRYPTED MESSAGE as alphanumeric characters.]

CHAINING ALGORITHM increases the security of block ciphers. A message is converted into a string of 0s and 1s, and the long sequence is then broken into blocks of equal size. Before each of these chunks is encrypted, it is first mathematically combined with the enciphered previous block. Thus, the encryption of the 23rd chunk depends on the enciphered 22nd block, which itself was affected by the encryption of the 21st block, and so on. Because of this feedback chain, an encrypted block depends on all the previous blocks, making the cipher more difficult for cryptanalysts to crack.
into three categories, depending on how much is known about the original message (called plaintext) and the corresponding enciphered transmission (called ciphertext).

In some cases, all that the attackers have to work with is the ciphertext, so they have little to guide their efforts in guessing the key. Even a poorly designed cipher might be able to withstand such ciphertext-only attacks.

But if the attackers know at least a part of the message— for instance, that the text begins with "Dear Mr. Jones"— the opportunities for success increase significantly. At a minimum, they can try different keys until they find one that decrypts the "Dear Mr. Jones" part of the plaintext. Even if the attacker knows only the language (Russian or French or COBOL) of the plaintext, that information can be exploited. If the message is in English, for example, the most common word is probably "the." To thwart such known-plaintext attacks, some cryptography systems electronically compress the message, squeezing out easily predictable patterns in the plaintext, before encrypting it.

Often an attacker knows much more. If a person steals a "smart" card containing crypto hardware, the thief can present perhaps billions of carefully chosen messages to the card and study the ciphertext output. Such chosen-plaintext attacks will crack a poorly designed cipher easily. Another example is public-key systems. An attacker can write a message, encrypt it with the public key (which is, after all, public) and then analyze the resulting ciphertext.

Two very effective methods of cryptanalysis, differential and linear, have recently been developed. Both approaches have been used to crack a number of well-known block ciphers and to show that DES can be broken hundreds or thousands of times faster than by key exhaustion.

In differential cryptanalysis, introduced by Shamir and Eli Biham of Technion Israel Institute of Technology, many pairs of plaintext messages with carefully chosen differences are encrypted to find a corresponding pair of ciphertexts that have a certain dissimilarity. When such a pair is found, it reveals information about the key. Linear cryptanalysis, developed by Mitsuru Matsui of Mitsubishi Electric Corporation, searches for correlations between plaintext, ciphertext and key that are true slightly more often than not. The method then gathers statistics on large numbers of known plaintext-ciphertext pairs, looking for biases that will disclose clues about the key.



Beware of Middlemen

Though powerful, cryptanalysis techniques usually require a backbreaking number of computations. Often instead of trying to crack a cipher, it is easier to attack the protocol, or implementation, of that cipher.

One potential threat is man-in-the-middle attacks, which are the biggest vulnerability of public-key cryptosystems. When Bob wants to send a message to Alice, he may be unaware that Cindy is attempting to impersonate Alice. If Cindy can trick Bob into using her public key instead of Alice's, she will be able to decrypt Bob's message.

The only way to prevent this type of attack is for Bob to confirm somehow that Alice's public key is really Alice's. Most of the complexity of well-designed implementations of public-key cryptosystems is devoted to this one particular vulnerability. One solution is to have a trusted third party verify and sign the keys. This approach, however, begs the
MIDDLEMAN ATTACK is the greatest vulnerability of public-key cryptosystems. If Cindy, an eavesdropper, can intercept transmissions between Alice and Bob, she can trick Bob into using her g^z (z being Cindy's own secret number) instead of Alice's g^x and similarly deceive Alice into using g^z instead of Bob's g^y [see box on page 112]. Cindy would then be able to decrypt and reencrypt Alice's and Bob's messages to each other—all unbeknownst to the couple. The process is analogous to Alice and Bob talking on special, encrypted telephones while Cindy listens in by using a pair of such phones to decrypt, then reencrypt, the transmission.

major— and politically controyersial— question: Should the 
keys be certified in a top-down manner by government aur 
thorities or in a decentralized grassroots method by differ- 
ent entities, including various private companies and indi- 
viduals, allowing people to choose for themselves which key 
signers to trust? In fact, this issue is so crudal that I could 
have written this entire artide on it ^ 

As cipher-breaking techniques have improved, so have the algorithms for stronger cryptography. Recently the National Institute of Standards and Technology solicited designs for the Advanced Encryption Standard (AES), a new block cipher to replace the DES, which has reached the end of its useful life, mainly because of its short 56-bit key and 64-bit block size. The AES, which has been generating considerable excitement in the cryptography field, will use a key size of 128, 192 or 256 bits to encrypt data in 128-bit blocks.

Good AES designs will meet several criteria. They will offer flexibility in various key and block sizes; they will be efficient in setting up keys and in encrypting and decrypting, particularly when implemented on 32-bit processors as well as on eight-bit microprocessors, such as in "smart" cards, and on other hardware; and they will perform well in a wide range of applications, from satellite communications to high-definition television.

Several of the AES candidates appear to be extremely well designed. The better proposals have capitalized on the experience of cryptographers who have studied block ciphers for the past 20 years, including their knowledge of how to defend against linear and differential cryptanalyses.

Of the 15 submissions, I believe more than a few would make credible encryption standards. MARS, which draws on the experience of IBM's original DES team, uses two very different structures for the encryption rounds. The mixed approach, the IBM cryptographers claim, will result in better security than that achieved with a homogeneous cipher. CAST-256 extends the earlier CAST architecture to a 256-bit key and 128-bit block size. Twofish is more mathematically rigorous than its predecessor, Blowfish. Serpent deploys an unusual parallel design to make it as fast as DES, with a short time for key setup, which should enable the cipher to be used efficiently as a hash function.

Deciphering the Future

Whichever candidate is selected, the AES promises to tip the balance further in favor of cryptographers in their ongoing arms race against cryptanalysts. Today the very best cryptosystems are beyond the reach of the best cryptanalytic methods known. Still, it is conceivable that powerful, new cipher-breaking techniques will be developed in the coming years. Even so, many cryptologists contend that the gap between cipher makers and cipher breakers will only widen.

I agree with that assertion, in part because of the active community of cryptographers in academia and the private sector, which has grown and matured to reach parity with military expertise in the field. Evidence of this was supplied by the recent declassification of the Skipjack cipher, which the NSA had developed in secrecy for the Clipper chip. A review by Technion's Biham, an academic cryptologist, revealed the algorithm to be less conservative, with a smaller margin of safety, than the best designs from academia. It appears that cryptography—like the Internet itself—has stepped from the dark shadows of the military into the bright sunshine of the free market.
The Case against Regulating Encryption Technology

One of the pioneers of computer security says the U.S. government should keep its hands off cryptography

by Ronald L. Rivest



The widespread use of cryptography is a necessary consequence of the information revolution. With the coming of electronic communications on computer networks, people need a way to ensure that conversations and transactions remain confidential. Cryptography provides a solution to this problem, but it has spawned a heated policy debate. U.S. government agencies want to restrict the use of data encryption because they fear that criminals and spies may use the technology to their own advantage.

Before the 1970s, cryptography was too complicated and too expensive for everyday use. Two inventions changed this picture dramatically: public-key cryptography and the microprocessor. The idea of using public and private encryption keys—first proposed in 1976 by electrical engineers and computer scientists Whitfield Diffie, Martin E. Hellman and Ralph C. Merkle—paved the way for the general use of strong cryptography, which scrambles messages so effectively that it would take many years of computer time to break the code. And the growing availability of fast microprocessors gave more and more computer users the ability to make the calculations necessary for this kind of encryption.

As strong cryptography became easily accessible in the late 1980s and early 1990s, two government agencies grew concerned about its widespread deployment. The National Security Agency (NSA), which monitors electronic communications around the globe, worried that it would be unable to decipher the encrypted messages of potential spies and terrorists. Similarly, the Federal Bureau of Investigation feared that criminals in the U.S. would use the encryption software to thwart surveillance of their voice or data communications. Over the past decade these agencies have pushed for government regulation of encryption technology and have favored the continuation of current restrictions on the export of strong encryption software.

The government's concern is that the "bad guys" will benefit from the new cryptographic technology. This is certainly possible—the sun shines on the evil as well as the good. But it is poor policy to clamp down indiscriminately on a technology merely because some criminals might be able to use it to their advantage. For example, any U.S. citizen can freely buy a pair of gloves, even though a burglar might use them to ransack a house without leaving fingerprints.

I rather like the glove analogy; let me expand on it a bit. Cryptography is a data-protection technology just as gloves are a hand-protection technology. Cryptography protects data from hackers, corporate spies and con artists, whereas gloves protect hands from cuts, scrapes, heat, cold and infection. The former can frustrate FBI wiretapping, and the latter can thwart FBI fingerprint analysis. Cryptography and gloves are both dirt-cheap and widely available. In fact, you can download good cryptographic software from the Internet for less than the price of a good pair of gloves.

Should the use of cryptography be restricted to satisfy the concerns of the NSA and the FBI? It is true that these two agencies may find their jobs more difficult as cryptographic technology spreads. But we should also consider cryptography's benefits to society as a whole. Most people use cryptography to prevent crime rather than to hide it, just as most people wear gloves to protect their hands rather than to hide their fingerprints. By ensuring the confidentiality and authenticity of electronic banking and Internet commerce, cryptography prevents theft and credit-card fraud. The vigorous application of cryptography may also improve national security: the encryption of communications, for example, protects U.S. businesses from industrial espionage. Paradoxically, we may create a safer society by promoting a technology that somewhat hampers law enforcement.

Some have hoped for compromise solutions that would allow strong cryptography to be widely used while still enabling the NSA and the FBI to decrypt messages when lawfully authorized to do so. For example, there have been key-escrow proposals that would require users to register their software encryption keys with law-enforcement agencies, and key-recovery proposals that would give government agencies backdoor access to the keys. In a typical key-recovery scheme, an encrypted version of the message encryption key is sent along with each message. An FBI-authorized key-recovery center can use a master backdoor key to decrypt the message key, which is then used to decrypt the message itself.
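The key-recovery envelope just described, as an added example that is not part of the article: each message is encrypted under its own message key, and a copy of that key, encrypted under the recovery center's master key, travels with it. The toy cipher (an HMAC-SHA256 keystream), the envelope field names and the sample messages are constructed for this example; the point it makes is the one the article makes below, that one master key opens every envelope ever sent.

```python
"""Added example (not from the article): a toy key-recovery envelope of the
kind the text describes. The cipher is constructed for illustration only."""
import hashlib
import hmac
import secrets


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter)
    blocks. Constructed for this example; it is not a production cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def seal_with_recovery(message_key, master_key, plaintext):
    """Sender side of the scheme in the text: encrypt the message under a
    fresh message key and attach that key encrypted under the recovery
    center's master key, so both parts travel together."""
    nonce = secrets.token_bytes(16)       # fresh per envelope
    return {
        "nonce": nonce,
        "ciphertext": keystream_xor(message_key, nonce, plaintext),
        # the recovery field is what a key-recovery center decrypts
        "recovery_field": keystream_xor(master_key, nonce, message_key),
    }


def open_as_recipient(message_key, envelope):
    """The intended recipient needs only the message key."""
    return keystream_xor(message_key, envelope["nonce"], envelope["ciphertext"])


def open_as_recovery_center(master_key, envelope):
    """Whoever holds the master key recovers the message key from the
    recovery field and then the plaintext, without either correspondent."""
    message_key = keystream_xor(master_key, envelope["nonce"],
                                envelope["recovery_field"])
    return keystream_xor(message_key, envelope["nonce"], envelope["ciphertext"])


def demo_master_key_exposure():
    """Constructed traffic from three unrelated users, each with a distinct
    message key. Returns (original messages, what the master key yields)."""
    master_key = secrets.token_bytes(32)
    messages = [b"wire transfer 1 approved", b"patent draft v3 attached",
                b"see you at six"]
    envelopes = [seal_with_recovery(secrets.token_bytes(32), master_key, m)
                 for m in messages]
    recovered = [open_as_recovery_center(master_key, e) for e in envelopes]
    return messages, recovered


if __name__ == "__main__":
    originals, recovered = demo_master_key_exposure()
    print("master key reads every message:", originals == recovered)
```

Because every envelope carries its message key under the same master key, the master key is as valuable as all the traffic it protects, which is why the text calls it a target rather than a safeguard.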

In my opinion, these systems would satisfy no one. They are very easy to circumvent: spies and criminals could modify the encryption software to disable the key-recovery features, or they could simply download alternative software from the Internet. Key recovery would be very expensive, too. Someone would have to pay for creating, staffing and maintaining the key-recovery centers. But the most subtle and serious cost in the long run would be the erosion of confidence in the government resulting from an increased sense of "Big Brotherism." To get an idea of the intrusiveness and impracticality of key recovery, imagine that whenever you bought a pair of gloves you were legally required to sew latex copies of your fingerprints onto the gloves' fingertips!




Key-recovery systems would also create substantial security risks. The system's most serious flaw is that the same back doors used by the FBI to decipher encrypted messages would become targets for criminals, hackers, spies and even disgruntled employees of the FBI itself. If criminals or hackers managed to penetrate a key-recovery center and steal a master backdoor encryption key, they would be able to decrypt Internet communications at will. Millions of corporate, personal and government secrets would suddenly become vulnerable to theft and tampering.

In 1993 Congress asked the National Research Council to study U.S. cryptographic policy. The council then convened a blue-ribbon committee of 16 members. Its superb 1996 report, the result of two years' work, offered the following conclusions and recommendations:

• "On balance, the advantages of more widespread use of cryptography outweigh the disadvantages."

• "No law should bar the manufacture, sale or use of any form of encryption within the United States."

• "Export controls on cryptography should be progressively relaxed but not eliminated."

The committee members concluded that a ban on unregulated encryption would be "largely unenforceable." But the FBI and the NSA continue to push for key recovery and to oppose the relaxation of export controls unless key recovery is incorporated into the exported software.

Strong cryptography only gets easier to implement—and harder to regulate—over time. Professional societies are adopting public cryptographic standards that even a high school student can convert into programs. And new techniques such as "chaffing and winnowing"—which does not encrypt a message but achieves confidentiality by hiding pieces of the message in a welter of random data, or chaff—illustrate the enormous technical difficulties involved in trying to control cryptography.
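Chaffing and winnowing as the text sketches it, as an added example that is not taken from the article or from Rivest's own paper: the sender tags each bit of the message with a keyed MAC ("wheat") and interleaves a packet carrying the opposite bit with a random tag ("chaff"); no packet is encrypted, yet only a receiver holding the MAC key can tell which bits are genuine. The one-bit granularity, the truncated 8-byte HMAC-SHA256 tag and the packet layout are this example's own choices.

```python
"""Added example (not from the article): chaffing and winnowing with an
HMAC-SHA256 tag. Packet layout and tag length are this example's choices."""
import hashlib
import hmac
import secrets

MAC_LEN = 8          # truncated tag, in bytes; chaff guesses it with p = 2**-64


def tag(key, seq, bit):
    """Authentication tag over (sequence number, bit). No encryption anywhere."""
    msg = seq.to_bytes(4, "big") + bytes([bit])
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def from_bits(bits):
    out = bytearray()
    for i in range(0, len(bits), 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def chaff_and_send(key, plaintext):
    """For every bit, emit the wheat packet (true bit, valid tag) and a chaff
    packet (opposite bit, random tag) in random order. Every packet is sent
    in the clear as (seq, bit, tag)."""
    rng = secrets.SystemRandom()
    packets = []
    for seq, bit in enumerate(to_bits(plaintext)):
        wheat = (seq, bit, tag(key, seq, bit))
        chaff = (seq, 1 - bit, secrets.token_bytes(MAC_LEN))
        pair = [wheat, chaff]
        rng.shuffle(pair)
        packets.extend(pair)
    return packets


def winnow(key, packets):
    """Receiver: keep only packets whose tag verifies, then reassemble."""
    kept = {}
    for seq, bit, mac in packets:
        if hmac.compare_digest(mac, tag(key, seq, bit)):
            kept[seq] = bit
    return from_bits([kept[seq] for seq in sorted(kept)])


def bits_seen_without_key(packets):
    """What an observer without the key learns: for each position, which
    bit values appear. With chaffing, every position shows both 0 and 1."""
    seen = {}
    for seq, bit, _ in packets:
        seen.setdefault(seq, set()).add(bit)
    return seen


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    sent = chaff_and_send(key, b"meet at noon")   # constructed sample message
    print("winnowed:", winnow(key, sent))
    print("positions showing both bits:",
          sum(1 for s in bits_seen_without_key(sent).values() if s == {0, 1}))
```

Nothing in the stream is encrypted, so there is no key to escrow and no ciphertext to regulate; the confidentiality comes entirely from the receiver's ability to authenticate, which is the difficulty the text is pointing at.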

The economic consequences of our current policy are also becoming clearer. A recent study conducted by the Economic Strategy Institute, a think tank in Washington, D.C., concluded that continuing the export controls on cryptographic products will cost the U.S. economy more than $35 billion over the next five years. My personal opinion is that the U.S. risks losing its leadership position in the software industry because of its restrictive export policy.

Finally, the ability to have private conversations is in my view an essential democratic right. Democracy depends on the ability of citizens to share their ideas freely, without fear of monitoring or reprisal; this principle should be upheld as much in cyberspace as it is in the real world. For the U.S. to restrict the right to use cryptography would be a setback for democracy—and a victory for Big Brother.



The Author

RONALD L. RIVEST is the co-inventor of RSA encryption, the most widely used public-key cryptosystem. He is Edwin S. Webster Professor of Electrical Engineering and Computer Science at the Massachusetts Institute of Technology and a founder of RSA Data Security (a subsidiary of Security Dynamics Technologies).

Further Reading

CRYPTOGRAPHY'S ROLE IN SECURING THE INFORMATION SOCIETY. Edited by Kenneth W. Dam and Herbert S. Lin, National Research Council. National Academy Press, 1996. The report can be found at http://www.nap.edu/readingroom/books/crisis on the World Wide Web.

THE ELECTRONIC PRIVACY PAPERS: Documents on the Battle for Privacy in the Age of Surveillance. Bruce Schneier and David Banisar. John Wiley & Sons, 1997.

PRIVACY ON THE LINE: The Politics of Wiretapping and Encryption. Whitfield Diffie and Susan Landau. MIT Press, 1998.






SCIENTIFIC AMERICAN October 1998, p. 117



